Posted to dev@hbase.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2017/03/01 23:27:45 UTC

[jira] [Created] (HBASE-17717) Incorrect ZK ACL set for HBase superuser

Josh Elser created HBASE-17717:
----------------------------------

             Summary: Incorrect ZK ACL set for HBase superuser
                 Key: HBASE-17717
                 URL: https://issues.apache.org/jira/browse/HBASE-17717
             Project: HBase
          Issue Type: Bug
          Components: security, Zookeeper
            Reporter: Shreya Bhat
            Assignee: Josh Elser
             Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6


Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security).

She noticed that, in some cases, we were seeing multiple ACLs for the same user.

{noformat}
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
{noformat}

After digging into this (and some insight from the mighty [~enis]), we realized that this was happening because of an overridden value for {{hbase.superuser}}. However, the ACL value doesn't match what we'd expect to see (as hbase.superuser was set to {{cstm-hbase}}).

After digging into this code, it seems like the {{auth}} ACL scheme in ZooKeeper does not work as we expect.

{code}
      if (superUser != null) {
        acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
      }
{code}

In the above, the {{"auth"}} scheme ignores any provided "subject" in the {{Id}} object. It *only* considers the authentication of the current connection. As such, our usage of this never actually sets the ACL for the superuser correctly.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
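
Added example (not part of the original message and not HBase or ZooKeeper code): a simplified Python model of the "auth" scheme behaviour described in the report, plus an audit of the getAcl output quoted there. The requested ACL list and the connection identity sasl:hbase are assumptions constructed to match that output.

```python
from collections import Counter

# getAcl output quoted in the report above.
SAMPLE = """'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
"""
# Assumed request: what a client would send with hbase.superuser=cstm-hbase.
REQUESTED = [("r", "world", "anyone"), ("cdrwa", "sasl", "hbase"),
             ("cdrwa", "auth", "cstm-hbase")]

def fixup_acl(requested, conn_ids):
    """Simplified model of the server side: an "auth" entry is replaced by
    one entry per identity the connection authenticated as; the id supplied
    with the entry is ignored."""
    out = []
    for perms, scheme, ident in requested:
        if scheme == "auth":
            out.extend((perms, s, i) for s, i in conn_ids)
        else:
            out.append((perms, scheme, ident))
    return out

def parse_getacl(text):
    """Parse getAcl output: a "'scheme,'id" line followed by a ": perms" line."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("'"):
            scheme, _, ident = line.partition(",")
            current = (scheme.lstrip("'"), ident.lstrip("'"))
        elif line.startswith(":") and current:
            entries.append((line[1:].strip(), *current))
            current = None
    return entries

def audit(entries, expected_superuser):
    """Flag duplicate entries and a missing full-permission superuser ACL."""
    findings = [f"duplicate ACL {s}:{i}:{p} x{n}"
                for (p, s, i), n in Counter(entries).items() if n > 1]
    if not any(s == "sasl" and i == expected_superuser
               and set("cdrwa") <= set(p) for p, s, i in entries):
        findings.append(
            f"no full-permission sasl ACL for superuser {expected_superuser}")
    return findings
```

Run against the quoted output with cstm-hbase as the expected superuser, the audit reports both symptoms from the report: the duplicated sasl:hbase entry and the absent cstm-hbase entry.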